Our setup includes
- A primary VPC where the we have compute engines and Postgres databases that are created with private IP. Let's refer it as main-network
,
- Vault deployed in it's own VPC and accessible via Loadbalancer (as per the best practice). Let's refer it as vault-network
.
Within main-network
compute instances are able to access the DBs with the private IP as the DBs where created with main-network
as the parent network while creation. Looking at various VPC details, it seems like the creation process auto creates private-service-access as described in the docs..
The problem - For Vault database secret-engine, Vault needs to be able to access the DB to dynamically generate secrets.
I have tried creating VPC network peering between main-network
and vault-network
and verified (via netcat) that I can successfully reach machines in the main-network
from machines in the vault-network
.
However, I cannot reach the DB instances from the nodes in vault-network
.
Is it possible to share the access to private-service with a peered vpc network?
I don't want to make the DBs public unless it's the only way.
I reached out to the Google support for our account and asked them about this problem and they confirmed that it's not possible to have a transitive VPC peering
VPC peering is not transitive, this scenario is not possible using VPC peering between the VPC networks:
Cloud SQL <[VPC Peering]> VPC “main-network” <[VPC Peering]> VPC “vault-network”.
Creating a shared VPC defeats the purpose of creating a separate network in the first place as it would make the vault nodes directly accessible in the shared VPC.
The Google guy suggested to create a VPN:
As a workaround, you could create a VPN between the VPC networks “main-network” and “vault-network”:
Cloud SQL <[VPC Peering]> VPC “main-network” <[Cloud VPN]> VPC “vault-network”.
I need some time to think if we want to go down this path or not.
For now, I have whitelisted the NAT IP of the vault cluster in the settings.ip_configuration.authorized_networks
configuration of the database instance to give access to the vault network.
The down side of this is that the database has a public IP now which isn't necessarily bad as the firewall blocks public access to it.
Thanks to everyone for their suggestions.